Call for public-key-secret-sharing software for benchmarking

eBATS (ECRYPT Benchmarking of Asymmetric Systems)
is a competition for the most efficient public-key systems.
eBATS measures public-key-secret-sharing systems
according to the following criteria:

Time to generate a key pair.

Length of the secret key.

Length of the public key.

Time to generate a shared secret from the secret key and another user's public key.

Length of the shared secret.

``Time'' refers to time on real computers:
cycles on a Pentium III 68a,
cycles on a PowerPC G5,
cycles on an Athlon 64 X2,
etc.
eBATS times each system on a wide variety of computers,
ensuring direct comparability of all systems
on whichever computers are of interest to the users.
Tools to graph the results will be made available.

Introduction to the eBATS secret-sharing API

Formal submission requirements have been kept to a minimum.
Your software has to be
a secret-sharing BAT (Benchmarkable Asymmetric Tool),
meaning that it supports the following two functions:

keypair, returning a secret key and a public key;
and

sharedsecret, reading a secret key and another public key,
returning a shared secret.

You can also provide additional functions
that document additional features of your system:

cdhchance,
documenting resistance to the best two-key attack known.

multiplekeycdhchance,
documenting resistance to the best multiple-key attack known.

fakekeyttacks,
documenting resistance to fake-key attacks.

timingattacks,
documenting resistance to timing attacks.

copyrightclaims,
documenting copyright claims against distribution of the software.

patentclaims,
documenting patent claims against use of the software.

Claims regarding these additional features
do not have the same level of verifiability
as the eBATS measurements of key size, secret-sharing time, etc.;
eBATS will nevertheless report these claims for public discussion.

The eBATS secret-sharing API is described below in more detail.
There's a
separate page on BATMAN,
the eBATS benchmarking software;
you will be able to download and use BATMAN
before submission to check that your implementation works properly.
There's also a
separate page
discussing security evaluations in more detail.

Files in a secret-sharing BAT

A secret-sharing BAT is a tar.gz file containing one directory.
The directory contains a file sizes.h,
any number of additional
*.S, *.c, and *.cpp files
implementing the eBATS secret-sharing API,
and a file documentation.pdf with references and other comments for cryptographers.

The directory name is the BAT name followed by a dash and a version number:
e.g., ronald-1 for a BAT named ronald, version 1.
eBATS will rename BATs if there is a conflict in names.

BATMAN will automatically decide whether the BAT
is a C BAT,
providing the eBATS API functions in C,
or a C++ BAT,
providing the eBATS API functions in C++.
Either way, the BAT can call C functions in its *.c files
and assembly-language functions in its *.S files.
BATs written in other languages
have to be compiled to C++, C, or assembly language.

Parametrized BATs

Some BATs allow parameters.
For example, a typical DH implementation
allows a wide range of key sizes.
On the other hand,
some DH implementations gain speed
by focusing on particular key sizes.

The eBATS API can support BATs of either type.
A parametrized BAT includes, in the same directory as sizes.h,
a parameters file with several lines;
each line specifies compilation options
that select a particular parameter choice.
A parameter choice is specified by BAT-specific macros,
which are used by sizes.h etc.,
and by a PARAMETERS macro (without white space),
which is used to identify parameters in the eBATS results.

For example,
version 1 of the RONALD BAT
has a 29-line parameters file
starting

Tuned BATs

A BAT can contain several implementations of the same functions:
e.g., a P4-tuned implementation, a G5-tuned implementation, etc.
A tuned BAT includes, in the same directory as sizes.h,
a tunings file with several lines;
each line specifies compilation options
that select a particular tuning.
A tuning is specified by BAT-specific macros,
which are used by sizes.h etc.,
and by a TUNING macro (without white space),
which is used to identify tuning in the eBATS results.

BATMAN will automatically try each tuning
and select the tuning where sharedsecret runs most quickly.
A BAT can define a TUNETARGET macro in sizes.h;
in that case BATMAN will select the tuning
where TUNETARGET() runs most quickly.

Any particular tuning is allowed to be unportable,
failing to compile on most platforms.
BATMAN will skip tunings that don't compile
or that flunk some simple tests.

Generating random numbers

BATMAN sets up file descriptor 0
reading from a neverending source of hard-to-predict secret random bytes.
BATs are free to assume this:
the keypair function, for example,
can obtain secret bytes using getchar().

Functions are permitted, but not encouraged,
to generate randomness in other ways,
such as by opening /dev/urandom.
These functions
won't be benchmarkable on systems that don't have /dev/urandom,
and they won't be suitable for black-box regression testing.

Using hash functions

BATMAN provides a cryptographic hash function hash256
callable from a BAT as follows:

To simplify comparisons of public-key systems,
eBATS recommends that BATs use hash256 for all necessary hashing.
This is not a recommendation of SHA-256
for any purpose other than public-key benchmarking.
Public-key systems may be able to gain speed and security
by choosing different hash functions.

To the extent that eBATS considers security of public-key systems,
it focuses on generic attacks,
i.e., attacks that work with any hash function.
Any security problems in SHA-256 are outside the scope of eBATS,
although obviously they should be discussed elsewhere.

Using stream ciphers

BATMAN provides an additive stream cipher stream256
callable from a BAT as follows:

To simplify comparisons of public-key systems,
eBATS recommends that BATs use stream256 for all necessary stream generation.
This is not a recommendation of Salsa20
for any purpose other than public-key benchmarking.
Public-key systems may be able to gain speed and security
by choosing different ciphers.

To the extent that eBATS considers security of public-key systems,
it focuses on generic attacks,
i.e., attacks that work with any stream cipher.
Any security problems in Salsa20
are outside the scope of eBATS,
although obviously they should be discussed elsewhere.

keypair: generate a new secret key and public key

A secret-sharing BAT must provide a keypair function
callable as follows:

The keypair function
generates a new secret key and a new public key.
It puts the number of bytes of the secret key into sklen;
puts the number of bytes of the public key into pklen;
puts the secret key into
sk[0], sk[1], ..., sk[sklen-1];
and puts the public key into
pk[0], pk[1], ..., pk[pklen-1].
It then returns 0.

keypair
guarantees that sklen is at most SECRETKEY_BYTES,
and that pklen is at most PUBLICKEY_BYTES,
so that the caller can allocate enough space.

If key generation is impossible for some reason
(e.g., not enough memory),
keypair returns a negative number,
possibly after modifying sk[0], sk[1], etc.
Current implementations should return -1;
other return values with special meanings may be defined in the future.

sharedsecret: generate a shared secret using a secret key and another user's public key

A secret-sharing BAT must provide a sharedsecret function
callable as follows:

The sharedsecret function
uses a secret key
sk[0], sk[1], ..., sk[sklen-1]
and another user's public key
pk[0], pk[1], ..., pk[pklen-1]
to compute a shared secret.
It puts the length of the shared secret into slen
and puts the shared secret into
s[0], s[1], ..., s[slen-1].
It then returns 0.

The sharedsecret function
guarantees that slen is at most SHAREDSECRET_BYTES.
The SHAREDSECRET_BYTES macro is defined in sizes.h.

The sharedsecret function
is free to assume that the secret key
sk[0], sk[1], ..., sk[sklen-1]
was generated by a successful call to the keypair function.

If shared-secret generation is impossible for some reason,
sharedsecret returns a negative number,
possibly after modifying s[0], s[1], etc.
Current implementations should return -1;
other return values with special meanings may be defined in the future.

cdhchance: report effectiveness of best attack known

A secret-sharing BAT can provide a cdhchance function
callable as follows:

#include "sizes.h"
double e;
double s;
double p = cdhchance(e,s);

The cdhchance function
returns a number between 0 and 1,
namely the probability
that an attacker spending e euros and s seconds
can deduce a shared secret given two public keys.
Here e and s
are powers of 2 between 2^0 and 2^40.

The cdhchance function
is free to ignore attacks
that merely distinguish the shared secret from uniform (DDH)
without computing the shared secret (CDH);
shared secrets are presumed to be hashed before they are used.

There is a separate page
with more information on security evaluations.

multiplekeycdhchance: report effectiveness of best attack known

A secret-sharing BAT can provide
a multiplekeycdhchance function
callable as follows:

The multiplekeycdhchance function
returns a number between 0 and 1,
namely the probability
that an attacker spending e euros and s seconds
can deduce at least one shared secret
given k public keys.
(More precisely, there are public keys key_1, key_2, ..., key_k;
the attack is successful if it prints a vector i, j, z
where 1<=i<j<=k and
z is the secret shared between key_i and key_j.)
Here e, s, and k
are powers of 2 between 2^0 and 2^40.

The result of multiplekeycdhchance
can be larger than the result of cdhchance
by a factor as large as k(k-1)/2.

fakekeyattacks: report extra effectiveness of fake-key attacks

A secret-sharing BAT can provide an fakekeyattacks function
callable as follows:

#include "sizes.h"
int x = fakekeyattacks();

The fakekeyattacks function
returns 100 if an active attacker can save time by providing fake keys
(in applications that do not go to any extra effort to validate keys).
It returns 0 if an active attacker obtains no benefit from fake keys
(for example, if the sharedsecret function includes all necessary key validation).

timingattacks: report extra effectiveness of timing attacks

A secret-sharing BAT can provide a timingattacks function
callable as follows:

#include "sizes.h"
int x = timingattacks();

The timingattacks function
returns 0 if the software
does not leak any secret information through timing
(variable time for branching, variable time for memory access, etc.):
i.e., if the best attack known that sees timings
is as difficult as the best attack known that does not see timings.
It returns 100 if the software leaks secret information through timing.

copyrightclaims: report copyright claims

A secret-sharing BAT can provide a copyrightclaims function
callable as follows:

#include "sizes.h"
int x = copyrightclaims();

The copyrightclaims function returns
one of the following numbers:

0: There are no known present or future claims
by a copyright holder
that the distribution of this software infringes the copyright.
In particular, the author of the software is not making such claims
and does not intend to make such claims.

10: The author is aware of third parties making such claims,
but the author disputes those claims.

20: The author is aware of third parties making such claims,
and the author agrees with the claims,
but the author has no financial connections to the copyright.

30: The author has financial connections to a copyright
restricting distribution of this software.

More numbers may be defined in the future.

No matter what the BAT's copyright status is,
eBATS will publicly distribute copies of the BAT for benchmarking.
The submitter must ensure before submission that publication is legal.

patentclaims: report patent claims

A secret-sharing BAT can provide a patentclaims function
callable as follows:

#include "sizes.h"
int x = patentclaims();

The patentclaims function returns
one of the following numbers:

0: There are no known present or future claims
by a patent holder that the use of this software infringes the patent.
In particular, the author of the software is not making such claims
and does not intend to make such claims.

10: The author is aware of third parties making such claims,
but the author disputes those claims.

20: The author is aware of third parties making such claims,
and the author agrees with the claims,
but the author has no financial connections to the patent.

30: The author has financial connections to a patent
restricting use of this software.

More numbers may be defined in the future.

No matter what the BAT's patent status is,
eBATS will publicly distribute copies of the BAT for benchmarking.

Version

This is version 2006.06.16 of the call-secretsharing.html web page.
This web page is in the public domain.